# Is the onboard key manager enabled by default?


dreamy granite
#

We have a fairly new installation of a 4-node C800 Fabric-IP MC in which we have had to replace one of the controllers... after this we got some errors because it claims there is a mismatch between the two nodes' key stores... which there is, because we were not aware that this was even used... (we do not use any encryption on volumes or aggregates). There is encryption on the cluster peering, but that seems to work fine... This would be resolved with a "security key-manager onboard sync", but it prompts for a password which we do not have... The question is whether we can just disable the onboard key manager on all nodes, or will that cause some downtime?

green vault
#

I hope you have the passphrase for your key manager! Otherwise you may need to go through the long and possibly painful process of decrypting everything and disabling the onboard key manager.

#

If you happened to encrypt "vol0" (the node root volumes) you won't have a choice, as they cannot be unencrypted (unless something changed).

proper gust
#

Ask NetApp to handle that. Or are you the service partner?

#

The technician who replaced the controller should have done the steps according to the Net2 guide, which explains everything you need to check, especially when the key manager is active. The SSDs of a C800 will automatically use the key manager once it's activated (ok, not 100% automatically, but if you click that big message in System Manager the authentication keys will be set for every disk).
This system is using NVMe SEDs; by default NVE/NAE is not used once that's active.

#

Oh, and to answer your question in the title: No, the onboard key manager is not enabled by default. One needs to manually enable it, set a passphrase and then save the backup.

green vault
#

Good way to tell:

security key-manager onboard show-backup

If it displays anything, then the key manager is definitely in use.
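The check above (does show-backup print anything?) together with the "onboard sync wants a passphrase" situation from the opening post, as an added example that is not from the thread or from NetApp. It drives the ONTAP REST API from Python instead of the CLI. The endpoint paths and field names it relies on (GET /api/security/key-managers with onboard.enabled, onboard.key_backup, PATCH with onboard.existing_passphrase and onboard.synchronize; GET /api/storage/disks with self_encrypting and protection_mode) are assumptions from my reading of the ONTAP REST reference and must be confirmed against the API docs of the installed release; the sample responses are constructed, and call_api is a hypothetical helper.

```python
"""Check ONTAP Onboard Key Manager (OKM) state before touching a replaced node.

Added example for this thread, not code from the original posts or from
NetApp. ASSUMPTIONS (verify against the REST docs of your ONTAP release):
  GET   /api/security/key-managers        -> records[].onboard.{enabled,key_backup}
  GET   /api/storage/disks                -> records[].{self_encrypting,protection_mode}
  PATCH /api/security/key-managers/{uuid} with onboard.{existing_passphrase,synchronize}
The sample payloads at the bottom are constructed for offline use.
"""
import base64
import json
import ssl
import urllib.request
from typing import Optional


def assess_okm(key_managers: dict, disks: dict) -> dict:
    """Summarise OKM and SED state from the two GET responses.

    Mirrors the CLI check from the thread: if 'security key-manager onboard
    show-backup' prints anything, OKM is in use. Here that is a non-empty
    onboard.key_backup. Self-encrypting disks whose protection_mode is not
    'open' are locked to an authentication key, so the key manager (and
    its passphrase) is needed to bring a replaced node's keys in sync.
    """
    okm_enabled = False
    backup_present = False
    km_uuid = None
    for km in key_managers.get("records", []):
        onboard = km.get("onboard") or {}
        if onboard.get("enabled"):
            okm_enabled = True
            km_uuid = km.get("uuid")
            backup_present = bool(onboard.get("key_backup"))
    protected = [
        d.get("name")
        for d in disks.get("records", [])
        if d.get("self_encrypting") and d.get("protection_mode", "open") != "open"
    ]
    return {
        "okm_enabled": okm_enabled,
        "backup_present": backup_present,
        "key_manager_uuid": km_uuid,
        "protected_disks": protected,
        # Either signal means a node replacement will need the OKM passphrase.
        "needs_passphrase": okm_enabled or bool(protected),
    }


def build_sync_request(km_uuid: str, passphrase: str) -> tuple:
    """Build the PATCH that corresponds to 'security key-manager onboard sync'.

    Refuses to build it without the cluster-wide passphrase: the CLI prompts
    for it, and there is no way around that prompt.
    """
    if not passphrase:
        raise ValueError("OKM passphrase required; sync cannot proceed without it")
    body = {"onboard": {"existing_passphrase": passphrase, "synchronize": True}}
    return "PATCH", f"/api/security/key-managers/{km_uuid}", body


def call_api(base_url: str, method: str, path: str, user: str, password: str,
             body: Optional[dict] = None, verify_tls: bool = True) -> dict:
    """Minimal ONTAP REST call with HTTP basic auth (hypothetical helper)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Authorization": f"Basic {token}",
                                          "Accept": "application/json",
                                          "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab clusters with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample responses: OKM enabled with a backup present, one NVMe
# SED locked to a key and one left open.
SAMPLE_KEY_MANAGERS = {"records": [{
    "uuid": "00000000-0000-0000-0000-000000000001",
    "scope": "cluster",
    "onboard": {"enabled": True, "key_backup": "BEGIN-BACKUP-CONSTRUCTED-PLACEHOLDER"},
}]}
SAMPLE_DISKS = {"records": [
    {"name": "1.0.0", "type": "ssd_nvm", "self_encrypting": True, "protection_mode": "data"},
    {"name": "1.0.1", "type": "ssd_nvm", "self_encrypting": True, "protection_mode": "open"},
]}

if __name__ == "__main__":
    report = assess_okm(SAMPLE_KEY_MANAGERS, SAMPLE_DISKS)
    print(json.dumps(report, indent=2))
    if report["needs_passphrase"]:
        print("A replaced node will need the OKM passphrase for 'onboard sync'.")
    # Live use: replace the samples with
    #   call_api(url, "GET", "/api/security/key-managers?fields=onboard", user, pw)
    #   call_api(url, "GET", "/api/storage/disks?fields=self_encrypting,protection_mode", user, pw)
```

Run it against a real cluster only after confirming the field names for your release; the point of the dry-run split (assess first, build the sync request second) is that the sync step cannot be reached by accident without the passphrase in hand.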

toxic thicket
#

You absolutely need the passphrase! If you do not have it, you cannot get the TPM keys to a replaced node, for example. This will give you headaches when you least expect it. As TMAC said, move everything to unencrypted aggregates, delete the encrypted aggr and then move everything back.

#

Sadly, there is no in-place decrypt, so you need a lot of temporary disks... but if you don't do it, you risk losing all your data.